Malware SEO Model Maturing
Many businesses may still find it hard to get their URLs to the top of Google's search results pages, but malware gangs are having more success than ever at tapping into people's interests and serving up attacks right where people go to looking for information about their favorite topics.
According to researchers with AV vendor Avast, malware distributors are constantly refining their SEO skills and accelerating the pace at which they hop on emerging news stories and tie their attacks to related search terms.
The experts have specifically uncovered a commercial-grade type business process that some of the leading malware SEO gangs have adopted, a set of tactics that keep these cyber-criminals on top of the latest and greatest trends in Google's GoogleRank system and ensure that more end users than ever will likely end up confronted by their work, Avast researchers said.
The networks involved typically involve "hundreds" of fake links that work through hijacked web sites to game Google's search algorithms. Many of the attacks still center on the use of rogue AV programs, a business that the FBI has already pegged as a $150 million per year malware vertical market.
Recent news events that triggered a lightening fast response from the malware gangs included former U.S. President Bill Clinton's heart surgery. As many as 70 individual URLs were rapidly incorporated in related attacks just after the news was announced.
"These guys had targeted keywords out on Bill Clinton within hours of the former president's heart operation. They have an extremely sophisticated understanding of search engine optimization," Jindrich Kubec, Avast director of antivirus research, said in a research note.
The expert said that the model his company has uncovered involves four distinct business processes and/or units that handle consumer-facing hijacked sites, SEO optimization, redirector sites, and the malware domains themselves, respectively.
Under the model, when someone searches on keywords targeted by the SEO attackers the results typically include many URLs that have already been hijacked and incorporated into redirection schemes.
The SEO "maximizing" unit often employs an entire network of hacked sites that have been loaded with invisible link-filled content, making them likely to turn up after users enter their terms in Google, Avast said.
The model also incorporates intermediary sites, which are also typically hijacked domains that actually connect the Google results with sites offering up fake AV or whatever content the attackers are attempting to pass along. The fourth business unit or process is involved in control of the fraudulent URLs themselves.
This refined methodical approach to SEO manipulation and attack is increasingly popular and likely to keep working unless end users suddenly smarten up and change their willingness to visit unknown or questionable sites, or security firms can work more closely with Google, Kubec said.
"In the ideal world, we would work with Google to adapt their search algorithms to find and remove the infected sites," he said.
With Google likely still reeling from the fallout of the recent "Operation Aurora" attacks that successfully infiltrated its internal networks, perhaps the search giant is open to expanding its already significant security operations once again.
Let's hope so.
Follow eWeek Security Watch on Twitter at: eWeekSecWatch.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.